CA-1 Security Assessment and Authorization Policy and Procedures
RISK STATEMENT
Management does not set a clear policy direction in line with business objectives and demonstrate a commitment to information security.
PRIORITY/BASELINE
P1 > LOW–Yes MOD–Yes HIGH–Yes
REQUIRED BY
February 2016
CONTROL DESCRIPTION
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
IMPLEMENTATION STATE
The state organization shall establish a security assessment procedure.
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
The organization has published a policy setting information security expectations for communicating to faculty, staff, business, IT, and other users.
CA-2 Security Assessments
RISK STATEMENT
Objective reviews of information security are not regularly performed to determine the continuing suitability, capability, and effectiveness of the organization’s information security program.
PRIORITY/BASELINE
P2 > LOW–Yes MOD–Yes HIGH–Yes
REQUIRED BY
February 2015
Texas Department of Information Resources | Office of the Chief Information Security Officer
SECURITY CONTROL STANDARDS CATALOG | CA–SECURITY ASSESSMENT AND AUTHORIZATION 45
CONTROL DESCRIPTION
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
IMPLEMENTATION STATE
A review of the state organization’s information security program for compliance with these standards will be performed at least annually, based on business risk management decisions, by individual(s) independent of the information security program and designated by the state organization head or his or her designated representative(s).
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
The organization has a defined information security program that includes:
a. Developing a plan and executing periodic assessments of security control effectiveness;
b. Identifying objective and qualified assessors; and
c. Reporting results of such assessment(s) to the appropriate stakeholders.
CA-3 System Interconnections
RISK STATEMENT
Security breaches occur due to risks related to external parties not being identified and controlled.
PRIORITY/BASELINE
CONTROL DESCRIPTION
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
IMPLEMENTATION STATE
The organization authorizes all connections from internal organization information systems to information systems outside the organization through the use of system connection agreements, and monitors and controls those system connections on an ongoing basis.
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
Interconnections to application systems are defined; a dataflow of information is available.
CA-4 Withdrawn
CA-5 Plan of Action and Milestones
RISK STATEMENT
Identified risks are not accepted, mitigated or responded to with actionable plans and decisions.
PRIORITY/BASELINE
P3 > LOW–Yes MOD–Yes HIGH–Yes
REQUIRED BY
February 2017
CONTROL DESCRIPTION
The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
IMPLEMENTATION STATE
The state organization develops and updates a plan of action and milestones for the information system that documents the organization’s planned, implemented, and evaluated remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
An organization tracks and reports on control deficiencies through a defined plan of action and milestone document.
CA-6 Security Authorization
RISK STATEMENT
Responsibility for the IT program has not been defined.
PRIORITY/BASELINE
P2 > LOW–Yes MOD–Yes HIGH–Yes
REQUIRED BY
February 2017
CONTROL DESCRIPTION
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
IMPLEMENTATION STATE
The state organization authorizes the information system for processing before operations or when there is a significant change to the system.
A senior organizational official signs and approves the security accreditation.
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
Each application system has a defined authorizing official.
CA-7 Continuous Monitoring
RISK STATEMENT
Known violations of security policy are not properly mitigated due to ineffective compliance and/or self-assessment activities.
PRIORITY/BASELINE
P2 > LOW–Yes MOD–Yes HIGH–Yes
REQUIRED BY
February 2017
CONTROL DESCRIPTION
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
IMPLEMENTATION STATE
The state organization monitors the security controls in the information system on an ongoing basis.
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
A continuous monitoring strategy such as automated and other periodic manual checkpoints is defined.
CA-8 Penetration Testing
RISK STATEMENT
Vulnerabilities will not be validated or confirmed. The organization will be unable to assess its ability to withstand an attack directed at its information resources.
PRIORITY/BASELINE
P2 > LOW–No MOD–No HIGH–Yes
REQUIRED BY
No required date
CONTROL DESCRIPTION
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
IMPLEMENTATION STATE
No statewide control
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
Internal interfaces between application systems are accepted for usage.
CA-9 Internal System Connections
RISK STATEMENT
Failure to establish formal authorization processes for restricting user access to internal system connections may result in unauthorized or unsecure connections to the network exposing sensitive or critical business applications.
PRIORITY/BASELINE
P2 > LOW–Yes MOD–Yes HIGH–Yes
REQUIRED BY
February 2017
CONTROL DESCRIPTION
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
IMPLEMENTATION STATE
The state organization has a procedure for authorizing internal information resource connections.
STATE ORGANIZATION [To be determined]
COMPARTMENT [To be determined]
EXAMPLE
The organization has a process for accepting internal interfaces between application systems.